Preparing Your Primary School for the New General Data Protection Regulation (GDPR)

Our world is becoming increasingly dependent on digital data. Most aspects of our personal and professional lives (banking, paying bills, socialising, buying groceries etc.) can now be processed online, using a variety of digital tools and apps. This is as true with your primary school as any other institution, organisation, or enterprise, with records and administration now almost entirely computer-based.

With this growing integration of digital tools comes greater concern over our data’s safety. The General Data Protection Regulation (GDPR) will be launched in the UK on May 28th 2018; as a replacement to the Data Protection Act, this aims to reinforce the safety of critical information online.

As we are now approaching the close of 2017 with alarming speed, your primary school must take steps to ensure you comply with the GDPR in full.

How can you do this?

Find Your Own Data Protection Officer

Various types of data will be processed in your primary school, applying to your students and staff alike. This covers small everyday administration tasks (preparing letters to parents) and bigger undertakings (processing payments, handling complaints etc.) alike, and to ensure vital information remains safe, you will need a designated data protection officer (DPO).

You may have someone currently performing a role such as this in your school, but once the GDPR comes into effect, the specific qualifications and experience required will be much more strict. A member of staff will unlikely have time to perform their standard work and act as the DPO as a side project.

A new employee with the knowledge and training to take on this role should be recruited ahead of the GDPR’s introduction. You may be able to effectively ‘share’ your DPO with other schools or educational institutions within your area, but they will need to be accessible and able to help when needed.

Acquire Relevant Data Only

Once the GDPR comes into effect, breaching students’ or staff’s rights, or failing to comply with the regulations in full, could see you fined either 4 percent of turnover, or as much as 20 million Euro – whichever is greater.

It is absolutely essential, then, to make sure that any sensitive data you hold pertaining to students or staff has been collected for specific needs. Details on ethnicity classification, religious belief, and health records are all regarded as sensitive data, and your school must ensure that you have no information that could be seen as a breach.

You should also retain such data for as long as your school believes necessary – remove it from your records as soon as possible once such time has passed. Perform an audit of your school’s information and make a note of the data you currently hold, how you came to hold it, and who else has seen it.

Any piece of information you hold without being entitled to could be seen as a breach, and incur significant penalties. Take the time to minimize this risk as far as possible.

Understanding Consent

Any data held on children or adults must be provided with suitable consent. As your primary school is responsible for the education and well-being of very young children, suitable consent is typically provided by their parents or guardians.

When acquiring this consent, proper documentation must be provided, detailing the reasons such information is required and how it will be used. Once GDPR comes into effect, consent will be scrutinised much more closely, and you need to ensure well ahead of the regulations’ introduction that your school makes sure all consent is fully-informed.

Releasing a bespoke mobile app for your primary school can create a simple, user-friendly gateway for busy parents or guardians. Acquiring consent may be as easy as hosting documents on the app, enabling caregivers to read them on their smartphone or tablet before granting permission.

Recognising Legal Rights

Parents are, understandably, concerned about what data bodies hold regarding their children. Though they are much more likely to trust that your primary school will behave with the child’s best interests in mind, they may still want to ascertain the kinds of information you possess, how this is used, and who else this may be shared with.

Under the DPA, people have had a right to request such information, but this will only expand once the GDPR is introduced in the UK next year. The regulations clarify that individuals can gain access to their personal data and be sure that it is being processed in a lawful, proper manner.

Your primary school has to take this into consideration and be prepared to provide such key information free of charge (the DPA’s £10 subject access fee will be dropped once the GDPR is introduced); if someone requests access to their data without good reason or repetitively, you will have the right to request a reasonable charge for your effort (provided it is a realistic reflection of your administrative cost).

All information must be provided within 30 days of the request, with a minimum of delay, though in the event such subject access requests are excessive, the deadline may be extended to two months instead. You should inform parents and guardians of their legal rights on your school website, in clear terms.

Spread the Word

Last, but by no means least, you must ensure the key decision-makers and staff-members within your primary school are aware of the GDPR’s incoming introduction, and what this will mean for them.

While they may think the DPA’s phasing out and the GDPR’s arrival has little to no impact on their day to day work, they must be made to see how the entire school’s daily processes will alter. Any slight oversight or processing error could lead to a breach of a student or employee’s rights, incurring potentially damaging penalties.

Gather the aforementioned key decision-makers and team-members, and explore the new changes, the ramifications, and the steps being taken to address them.

Doing so can help ensure your primary school is fully prepared for the GDPR’s introduction, and mean data is processed in the safest, most secure way in years to come. You should make sure parents and guardians are fully-informed too, perhaps by sending letters and presenting details of the GDPR on your school website.

The General Data Protection Regulation will mean some significant changes for your primary school, but by planning ahead, staying informed, and keeping parents / guardians in the loop, you can embrace the new regulations with minimal upheaval.